
Hacking mobile network via SS7: interception, shadowing and more

Dmitry Kurbatov
Vladimir Kropotov
Positive Research
Agenda

Intro
Attack prerequisites, costs and case studies
Official and underground market brief
Possible security measures
Forecasts

In Service LTE Networks
VoLTE Networks

http://ltemaps.org/
Most of the world performs handover:
LTE is used only for web browsing.
To make a call, the subscriber is downgraded to 3G (handover).
Interconnect / roaming

2G / 3G: SS7 over E1
3G / 4G: GRX over IP
3G / 4G: IPX over IP

Kind of IPv4 vs IPv6 dilemma: SS7 is still the most used interconnect / roaming network.
[Diagram: the SS7 core network. Functions: mobility, call control, billing, crypto. Nodes: MSC, VLR, HLR, Gateway MSC and SMS-C, all connected over SS7, between subscriber A and subscriber B.]
2014 - year of SS7 security issues

Hackito Ergo Sum 2014: Locating mobile phones
Positive Hack Days IV: How to Intercept a Conversation Held on the Other Side of the Planet
Washington Post: Secretly track cellphones
31C3: SS7: Locate. Track. Manipulate; Mobile self-defense
SS7 for (bad) guys

Tracking: locating mobile phones and secretly tracking them
Denial of Service: disrupting subscriber connectivity and service availability
Interception: listening to calls, intercepting short messages
Threats to the operator
Threats to IoT
Basic Terms

IMSI ~ SIM card
IMEI ~ Device
MSISDN ~ Your number
HLR ~ Subscriber DB
MSC ~ Call processing
Tracking

Common Step 0 for Any Attack

The attacker poses as an SMS-C ("I am SMSC").
1. Attacker sends a SendRoutingInfoForSM request (a MAP message, sent as if from an SMS-C) addressing Bob by MSISDN.
2. HLR replies with its own address, the serving MSC address and Bob's IMSI.
Get Cell ID

The attacker again poses as an SMS-C.
1. Attacker sends a provideSubscriberInfo request (a MAP message, sent as if from an SMS-C) addressing Bob by IMSI and asking for the subscriber location.
2. MSC replies with the Cell ID:
MCC - 250
MNC - 90
LAC 4A67
CID 673D
Get Location

Search the Internet for the physical location by MCC, MNC, LAC and CID:
MCC: 250
MNC: 90
LAC: 4A67
CID: 673D

... and Track the User Just Like SkyLock
http://s3.documentcloud.org/documents/1275167/skylock-product-description-2013.pdf
Underground market demands

Tracking a subscriber using the phone number. Yep, even in 2010.
Tracking

Nobody wants to be constantly monitored. Tracking is a violation of personal data protection laws.

Very hard to stop:
AnyTimeInterrogation
ProvideSubscriberInfo
ProvideSubscriberLocation
DoS

To make someone unavailable
To stop data leakage
What else?
Common Step 0 for Any Attack

The attacker's node is a fake MSC.
1. Attacker sends a SendRoutingInfoForSM request (a MAP message, sent as if from an SMS-C) addressing Bob by MSISDN.
2. HLR replies with its own address, the serving MSC address and Bob's IMSI.
Denial of Service. Step 1

1. Attacker registers Bob on the fake MSC.
2. HLR sets up the new location for Bob.
3. HLR asks the real MSC to release memory.
Denial of Service. Step 2

1. Alex calls Bob.
2. MSC looks for Bob and asks the HLR to provide information.
3. HLR asks the fake MSC to provide a Roaming Number.
demo
Interception

How to Intercept SMS
A virus on a smartphone? And what if a certain subscriber is the target: how do you infect that particular subscriber?
Reissue the SIM? It works only once.
Radio signal interception (GSM A5/1)? You need to be nearby.
Via the SS7 network.
A Cheap Way For Tapping

10$ + OpenSource + ... (f)or $$7
Common Step 0 for Any Attack

The attacker's node is a fake MSC.
1. Attacker sends a SendRoutingInfoForSM request (a MAP message, sent as if from an SMS-C) addressing Bob by MSISDN.
2. HLR replies with its own address, the serving MSC address and Bob's IMSI.
SMS Interception. Step 1

1. Attacker registers Bob on the fake MSC.
2. HLR sets up the new location for Bob.
3. HLR asks the real MSC to release memory.
SMS Interception. Step 2

1. Alex sends an SMS to Bob.
2. MSC forwards the SMS to the SMS-C.
3. SMS-C requests Bob's location from the HLR.
4. HLR replies with the fake MSC address.
5. SMS-C forwards the SMS to the fake MSC.
demo
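Every flow above (Step 0 via SendRoutingInfoForSM, the location queries, and the fake-MSC registration behind both the DoS and the SMS interception) arrives over the interconnect, which is where an operator can screen it. The Python below is an added example, not code from the presentation or from Positive Research: toy screening rules for inbound MAP operations, plus an HLR answer to SendRoutingInfoForSM that applies SMS home routing so Step 0 no longer yields the IMSI and serving MSC. All global titles, prefixes, IMSIs and thresholds are constructed, and the registration step is assumed to be MAP UpdateLocation, which the slides do not name.

```python
import itertools

HOME_GT_PREFIX = "7990"              # constructed: GTs of our own core nodes
SMS_ROUTER_GT = "79900000001"        # constructed: home SMS router that receives MT SMS
ROAMING_PARTNERS = {"4477", "3319"}  # constructed: networks with a roaming agreement
MIN_RELOCATION_S = 600               # constructed: two VLR changes faster than this is suspect
HOME_ONLY = {"AnyTimeInterrogation", "ProvideSubscriberLocation"}  # never from outside
ROAMING_CONTEXT = {"UpdateLocation", "ProvideSubscriberInfo"}      # roaming partners only

def network_of(gt):
    return gt[:4]  # toy convention: the first four GT digits identify the sending network

def screen(messages):
    """(verdict, reason) per message, oldest first; a message has ts, op, calling_gt, imsi."""
    last_loc = {}  # imsi -> (ts, network) of the last accepted UpdateLocation
    out = []
    for m in sorted(messages, key=lambda x: x["ts"]):
        op, gt, imsi = m["op"], m["calling_gt"], m["imsi"]
        net, prev = network_of(gt), last_loc.get(imsi)
        if gt.startswith(HOME_GT_PREFIX):
            out.append(("allow", "home node"))
        elif op in HOME_ONLY:
            out.append(("block", f"{op} is never expected from the interconnect"))
        elif op in ROAMING_CONTEXT and net not in ROAMING_PARTNERS:
            out.append(("block", f"{op} from non-partner network {net}"))
        elif (op == "UpdateLocation" and prev and prev[1] != net
              and m["ts"] - prev[0] < MIN_RELOCATION_S):
            out.append(("alert", "implausibly fast relocation: possible fake MSC"))
        else:
            if op == "UpdateLocation":
                last_loc[imsi] = (m["ts"], net)  # accepted registration, remember it
            out.append(("allow", "passed screening"))
    return out

_corr = itertools.count(1)
def sri_sm_answer(calling_gt, real_imsi, serving_msc):
    """HLR answer to SendRoutingInfoForSM with SMS home routing: home nodes get the real IMSI
    and serving MSC (networkNode-Number); outsiders get the home SMS router and a correlation id."""
    if calling_gt.startswith(HOME_GT_PREFIX):
        return {"imsi": real_imsi, "nnn": serving_msc}
    return {"imsi": real_imsi[:5] + f"{next(_corr):010d}", "nnn": SMS_ROUTER_GT}

SAMPLE = [  # constructed signalling records for one home subscriber (MCC 250, MNC 90)
    {"ts": 0, "op": "SendRoutingInfoForSM", "calling_gt": "9199900001", "imsi": "250901234567890"},
    {"ts": 10, "op": "ProvideSubscriberInfo", "calling_gt": "9199900001", "imsi": "250901234567890"},
    {"ts": 20, "op": "AnyTimeInterrogation", "calling_gt": "4477000002", "imsi": "250901234567890"},
    {"ts": 30, "op": "UpdateLocation", "calling_gt": "4477000002", "imsi": "250901234567890"},
    {"ts": 100, "op": "UpdateLocation", "calling_gt": "3319000003", "imsi": "250901234567890"},
]
```

The SendRoutingInfoForSM in the sample passes screening because foreign SMS-Cs legitimately send it; home routing is what keeps its answer harmless.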
SMS Interception, We Really Missed You

Access to payment services
Recover passwords for email and social networks
Online banking OTP

Illegal cases of SMS Interception
TBD

Payment confirmation SMS Interception

Devices for SMS Interception
Active actions and Impersonation

Mobile balance transfer over USSD
Premium Rate SMS Subscriptions
Credit card money transfers via phone
Even fake calls from the Victim's number
How to Get Into SS7

How they can get into SS7:
Legal, with a licence
Semi legal, without a licence
Find a guy
Hack a border device

Find a Guy

Hack border device
Today: IP Connectivity
Misconfiguration Example

Critical
Research Updates
SS7 security threats
Mobile Internet vulnerabilities (GPRS)
SIM vulnerabilities

http://www.ptsecurity.com/library/whitepapers/
http://blog.ptsecurity.com/
Questions?

Dmitry Kurbatov: dkurbatov@ptsecurity.com
Vladimir Kropotov: vkropotov@ptsecurity.com
